Nearly a quarter of people (23 per cent) polled in a survey by Symantec use their browser to keep tabs on their passwords.
A survey of 400 surfers by Symantec also found that 60 per cent fail to change their passwords regularly. Further violating the 'passwords should be treated like toothbrushes' maxim (changed frequently and …

COMMENTS

Easier said than done...

A lot of sites don't allow special characters, others don't discriminate between lower and upper case (WoW, I'm looking at you...), so often the user has to accept a lower level of password security than they would like.

I'm a wee bit in the middle for security - I don't allow my browser to store passwords for what I think of as sensitive sites (and I don't use web based banking at all), I use different passwords for different sites, but I have to confess that I don't change them often enough.

OTOH, if anyone wants to hack my mail, all they'll find is how dull my life really is, and if I did have my bank account compromised they'd be the lucky recipients of 3 groats 2 shillings and thruppence ha'penny - I'm lucky in a way, what you don't have, can't be taken...

All the Long, Random Passwords You Want

We all need a password manager and then can easily manage hundreds of unique long, random passwords having serious strength. I have been happy with free LastPass.com, which encrypts locally and then saves the result in the clouds. There are versions for various browsers and OSes. There is a local "portable" version. The Firefox add-on saves an encrypted copy locally, for when the cloud is down (perhaps to access a router password). Passwords are easily accessed from different computers, either for normal work, or in an emergency. As in any password use, the local computer does need to be bot-free. I recommend booting Puppy Linux from DVD for online browsing.

strategy about as bad as a single password for everything

Imagine that a single password of yours is hacked. If I were a hacker and brute-forced/phished/intercepted/social-engineered your ebyourwordhere password, I'd directly head to amazon and log in as you@googlemail.com, pass:amayourwordherezon. Or better yet, try out cityyourwordherebank...

Or even if there isn't a hacker. In university, I had to submit solutions of homework assignments with a hard deadline. Miss a deadline, and you cannot write the test in this subject. So one day I was somewhere, when I realised that I had to submit homework within two hours, and that my solution only existed on the HDD of my laptop... which I'd left on the docking station in the office where I was doing an internship. There was no way to reach the laptop within two hours, so I just called a co-worker, gave him the password for my account, and he sent me the file, which I successfully submitted. As soon as I got to my laptop, I changed the password, matter closed. If I'd followed your password creation strategy, I'd have had to choose between the guy easily guessing all my passwords and postponing the test by two semesters.

The only way it is safer than "same pw everywhere" is when a hacker gains access to an account of yours by circumventing the password rather than obtaining it.

Did we really need Symantec to tell us this?

Did they even really need to do the research? They could have just cut and pasted the results from any number of previous surveys, instead. Of course users let their browsers store their passwords for them: their browsers prompt them to do so.

Also, I don't go along with this 'change passwords frequently' crap. The toothbrush analogy is one of those trite-isms that sounds terribly wise - until you realise that what is being advocated is a system that forces users to rotate between a handful of memorable-enough passwords, on a regular basis - or, worse still, forces them to think of some new, unique (and, therefore, in all likelihood, even easier to remember/guess) password, every few weeks or so (and then immediately begins prompting them that their password is about to expire in a few weeks, of course!)

Just let the user select one, secure, password; tell them not to share it; tell them not to write it down; sack them if they do either of those things, and let them keep the damn thing for all eternity... If you really think someone might be trying to force-crack your password system, then any attack worth bothering with is going to take far less time than your enforced password-changing regime. Maybe you should be considering moving to a more secure password system, instead of beating up your users?

While we're on that tack, let's have a survey of all the applications that don't enforce passwords correctly, store the results in plain text, allow multiple users to share a session, embed human-readable data in things like querystrings, or just run the entire application logged in to the database as root/sa - with a blank password?

The sites themselves don't help

Most sites, including banks force you to use woefully short passwords without punctuation. Their own policies are so stupid and incoherent that the only explanation is that they were created by their marketing departments rather than someone with basic IT skills...

Most people get their browser to remember their password because they have far too many to remember by hand. So few sites use any reliable form of single-sign-on so most users have little or no option.

There are tools that can help but most people don't have them or use them. I use GPG to lock down the really important things I need but don't want to have to remember.

You need look no further than "Insecured by Visa", for an example of how poor on-line security is.

Insecured by Visa..

..is easy to work with. Every time it prompts me for the nth, rd, nd character I launch Notepad then type my password in with digits beneath it. That way I find that I stand a reasonable chance of getting it right.

Doesn't do much for my security but it probably makes Visa feel happy and /that/ I'm sure is the whole point.

Banking websites are the worst

This reminds me of the joys I had with an HSBC-owned bank locking me out each time I tried to log in, as they let me set a 15-letter password (but only stored 9 of them).

A now non-existent bank whose telephone banking security question was set to a question they had asked me when I had opened the account as a student 10 years previously. This same bank had a bunch of memorable questions that were case sensitive but gave you no way to check or change them - stupid considering you never entered them in some cases.

All of this is of course trumped by the joke that is verified by visa and it just reset the password by email without any checks.

At least the social notworking sites have APIs to let you authenticate with them and pass a token around - something the banks could have cleaned up on if they had some braincells to rub together, considering how much they know about everyone.

Plain text

Agree with most of the above, especially the impossibility of remembering multiple, constantly-changing passwords. One thing the article doesn't mention is that browsers store passwords in plain text. I was expecting details of a hacking attack that stole the browser password file.

On a completely separate note, if you want readers to vote on comments, get some bleedin' ajax on your site so we don't have to wade through two page loads just to register a single thumbs-up or -down..

Ah

Ah, but if they incorporated AJAX for the thumbs up/down buttons, then they'd never have any votes logged, for if you haven't read most of the comments, everyone seems to be browsing the web using "security by obscurity" browsers or NoScript-enabled ones such as Lynx (complete lack thereof) or FireFox and the like.

For those "normal" people willing to have acceptable risk vs functionality, I second the AJAX motion.

voting process

Good point about the voting, I feel in the same way. But OMG, Ajax! It could inject some malicious code and completely compromise all the temp files stored in the RAM by the live Puppy CD I boot from whenever I want to go online! We reg readers have to defend our title of Most devoted noscript users on the entire interwebs. So if someone at el reg thinks that we'd sacrifice our paranoia^H^H^H^H^H^H^H^H security for some noob concept like usability, and implements client-side voting, we actually won't be able to vote at all.

*now I have to post this*

*what was my reg password again?*

*damn, I only remember the first 18 characters*

*oh yes, 19th to 23 are the Viking runes. Now where did I put the Unicode table?*

*grr I have to start typing password again, at 28 put in code for a ვ instead of a ე*

Wrong

"Firefox 3.5 and later versions use the file signons.sqlite to store the encrypted names and passwords."

Keyword: encrypted. If a user is foolish enough to not use a password for the manager then that's their issue but in general this is as safe as you'll probably get without storing long complicated passwords in the grey locker.

Re : Plain text

This is understandable

Obviously everybody just wants to get on with their life, having to remember the password you made up just two days ago just isn't in keeping with that.

In general though, and in a far-flung utopian universe, wouldn't it be nice if hackers actually got caught far more regularly than they do now?

Here's a story about why this doesn't happen:

My company has recently been told that our merchant bank no longer offers us Credit card facilities, not because we have had charge backs - in fact we have a perfect record. This has actually happened because the bank has chosen not to offer merchant facilities to companies that sell hosting!

They've done this because the card scheme would require them to investigate when suspected wrongdoing occurs where they have a relationship with the host. If they don't have a direct relationship with a host then they don't have to act. i.e. wrongdoing doesn't get investigated because banks (or one specific bank) are free to turn a blind eye to it to save money!

Could this be why ordinary folk don't take their passwords seriously?

Just done a quick count up.

I have 233 passwords, along with their associated login names, user names, screen names and email addresses noted in the text file I'm forced to use cos my brain doesn't have the capacity to remember the necessary random bits of snippets that aren't related or traceable to me or my life.

I also have notes of 22 verbal passwords I'm expected to use when talking with various service providers on the phone.

14 PINs

3 gate/door pass numbers

5 physical descriptions of key rings on which are kept various friends and neighbours house key emergency copies

3 anti-theft codes for in-car hifi

and a separate file with 61 software registration or installation codes.

Why do I have to create an account to...

buy something?

see a price?

access some types of (otherwise free) information?

"recommend a post" in a discussion?

contribute to a discussion?

look up a phone number

look up a postcode?

subscribe to a newsletter?

obtain software updates?

report a bug?

download free stuff?

get tech support?

etc..?

PS: For those security experts freaking out right now: Said text file is encrypted with a fiendishly long and complex passphrase, kept on an encrypted partition of a USB key drive, plugged into the back of my Mac and attached to the wall behind it with a sturdy sink plug chain! Every night the encrypted partition is backed up to an off site server. Not absolutely fool-proof, I know, but it's the best balance of ease of use and security I could think of.

This one is easy...

The answer to most of your above list is "spammers". Until forums required a registration (valid email address + captcha + whatever), they used to be overrun with spammers posting "buy viagra" (or whatever) posts.

Welcome to real life, where a small minority can make life a pain for the rest of us. :(

And also...

When you buy something online, we, er, sort of need to know where to send the goods you've ordered, and to be able to track your order if you contact us with questions. Since you have to enter your contact information *anyway* for us to send the goods to you, we kinda have to store that info in an account. How else exactly are we supposed to process your order?

Buying online isn't like walking into a shop and asking for 2 Mars bars and a litre of milk, that's six fifty thanks, see you later. Be good if you could teleport cash over the internet and we could teleport the goods to your location, but until that technology becomes available, we're stuck with doing it the clumsy old way of storing your order info on a computer so we can process and ship it.

Can't be arsed having yet another username and password to keep track of? Well - what would you prefer? That we just keep that information in the open where anybody can look at it? Or just lock it away so you can't?

I'll see your text file....

... and raise you an HTML page! I have a similar setup, but use an HTML page, with all the site names, user IDs and passwords. So I can just right-click on the link, and copy and paste the UID and password.

File is decrypted at startup of Firefox, and encrypted again when I close FF down (done in a script)

It's not the users' fault... usually

Quiz! Which is more secure: sjst,ib^ogs!cxa or ASDFasdf1234? According to most websites out there, the latter, because it has numbers and upper case.

On an average US keyboard, there are 94 different characters you can use. That means for an 8 digit password, you can have as many as 6.0957 * 10^15 passwords. If one of those characters must be an uppercase letter, one must be a lowercase letter, and one must be a digit, you're suddenly at 4.9612 * 10^13 possible combinations; if you can't use symbols, you're at 6.1931 * 10^12 possible combinations. The more limits you have, (like "no repeating letters" or "can't look too much like your last password"), the fewer password possibilities there are.

If you want to make your site "secure", fix the problems on your site, not the user side. Enforce a simple security policy on the user side - at least 8 characters, use at least one non-alpha character, don't use a password on our "bad password" list. And then lock down the login system - sure, there are systems that can check eleventy billion passwords a second, but if your system only allows a login attempt every 30 seconds, then it doesn't matter how fast the query is. If the cracker gets into your password database, well, it doesn't matter how secure the passwords are, they're compromised.
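As an added example (not code from the original thread), here is the keyspace arithmetic from the comment above carried through in code. It uses inclusion-exclusion so that every 8-character password containing at least one character of each required class is counted exactly once, and it checks the formula against brute-force enumeration over a tiny constructed alphabet. The class sizes (26 upper, 26 lower, 10 digits, 32 symbols on a US keyboard) are the comment's own; everything else is assumed for illustration.

```python
# Added example: how many passwords survive a composition rule?
# Inclusion-exclusion over the classes that are *missing* gives the exact count
# of strings that contain at least one character from every required class.
from itertools import combinations, product

# Printable US-keyboard characters split into classes (94 in total).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def keyspace(length, classes=CLASSES, required=(), allowed=None):
    """Number of strings of `length` over the `allowed` classes that contain
    at least one character from every class named in `required`."""
    allowed = tuple(classes) if allowed is None else tuple(allowed)
    alphabet = sum(classes[c] for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        # Strings that avoid every class in `missing`; add or subtract by parity.
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def brute_force_count(length, classes, required):
    """Reference check: enumerate every string over a small constructed
    alphabet and count those meeting the rule. Only feasible for tiny inputs."""
    alphabet = [(cls, i) for cls, n in classes.items() for i in range(n)]
    return sum(
        1
        for pw in product(alphabet, repeat=length)
        if all(any(ch[0] == cls for ch in pw) for cls in required)
    )


def report(length=8):
    """(any of 94 chars, must include upper+lower+digit, same rule but no symbols)."""
    unconstrained = keyspace(length)
    three_classes = keyspace(length, required=("upper", "lower", "digit"))
    no_symbols = keyspace(length, required=("upper", "lower", "digit"),
                          allowed=("upper", "lower", "digit"))
    return unconstrained, three_classes, no_symbols


if __name__ == "__main__":
    labels = ("any 94 chars", "+upper/lower/digit", "no symbols")
    for label, n in zip(labels, report()):
        print(f"{label:>20}: {n:.4e}")
```

Each added rule shrinks the space, and forbidding symbols shrinks it far more than requiring a mix does; the brute-force check exists so you can trust the formula before applying it to lengths where enumeration is impossible.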

I'm alright

name of pet

Male Cow Excrement

"The net security firm advised computer users to pick a mix of numbers, letters, punctuation, and symbols when picking passwords."

A password like "BookAlien", "SwitchCheese" or "jumpCable" is easily secure enough; the problem clearly is with A) people using totally stupid passwords like "123", "qwerty" or their first name OR B) broken authentication systems that allow for brute-forcing.

Proper systems will present a good CAPTCHA after ten bad tries and/or will slow down the checking process. If you can issue a password every 5 minutes (after ten bad attempts), this means you can do about 300 tests per day. As there are about one million words in the English language, a system of two simple, unrelated and unguessable words is totally secure: 1E12/2/300 = 1,666,666,666 days (4.5 million years) are needed to guess a password on average.

The suggestion with the special characters was only necessary during the time of publicly viewable /etc/passwd files on Unix. That was about 15 years ago.

Try a wrong password a couple of times with Google Mail and you will see how a good system works.
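The throttled login the comment above describes, as an added example that is not part of the original thread: after ten failures an account gets one attempt per five minutes, a successful login clears the counter, and the steady-state guess rate is turned into the expected time to search a keyspace. The user "alice", her password, and the injected clock are constructed for the demonstration; PBKDF2 is used for storage purely so the check is realistic.

```python
# Added example: per-account login throttling plus the resulting brute-force budget.
import hashlib
import hmac
import os
import time


class LoginThrottle:
    """After `free_attempts` failures, allow one attempt per `delay` seconds."""

    def __init__(self, free_attempts=10, delay=300, clock=time.monotonic):
        self.free_attempts = free_attempts
        self.delay = delay
        self.clock = clock          # injectable so tests need not sleep
        self._failures = {}         # account -> (failure count, time of last failure)

    def allowed(self, account):
        count, last = self._failures.get(account, (0, 0.0))
        if count < self.free_attempts:
            return True
        return self.clock() - last >= self.delay

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
        else:
            count, _ = self._failures.get(account, (0, 0.0))
            self._failures[account] = (count + 1, self.clock())


def hash_password(password, salt=None, iterations=100_000):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(stored, password):
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(digest, candidate)


# Verified for unknown accounts too, so response time does not reveal which
# account names exist (constructed dummy credential).
_DUMMY = hash_password("not-a-real-password")


class Authenticator:
    def __init__(self, users, throttle):
        self.users = users          # account -> (salt, digest)
        self.throttle = throttle

    def login(self, account, password):
        """Returns 'ok', 'denied' or 'throttled'."""
        if not self.throttle.allowed(account):
            return "throttled"      # checked before any password work is done
        stored = self.users.get(account, _DUMMY)
        ok = verify(stored, password) and account in self.users
        self.throttle.record(account, ok)
        return "ok" if ok else "denied"


def guesses_per_day(delay):
    """Steady-state online guess rate once the throttle has kicked in."""
    return 86400 / delay


def expected_days_to_guess(keyspace, per_day):
    """Average online guesses needed is half the keyspace."""
    return keyspace / 2 / per_day


def simulate():
    """Ten wrong guesses, then the right password: throttled until 5 minutes pass."""
    now = [0.0]
    throttle = LoginThrottle(free_attempts=10, delay=300, clock=lambda: now[0])
    auth = Authenticator({"alice": hash_password("BookAlien")}, throttle)
    results = [auth.login("alice", f"wrong{i}") for i in range(10)]
    results.append(auth.login("alice", "BookAlien"))   # correct, but throttled
    now[0] += 300
    results.append(auth.login("alice", "BookAlien"))   # delay elapsed: ok
    return results


if __name__ == "__main__":
    print(simulate())
    days = expected_days_to_guess(1e12, guesses_per_day(300))
    print(f"two random words from 1e6, 5-minute throttle: ~{days / 365:.2e} years")
```

Note the throttle is per account, so an attacker spraying one guess across many accounts is not slowed by it; that case needs a per-source or global limit on top.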

So what?

The point these surveys always miss is that people nowadays have passwords for dozens of things, most of them thoroughly trivial. Sure I use stupid passwords for things I don't care about. For the rare financial stuff or anything else that seems important I use stronger passwords.

The Solution

The solution is simple. First create an imaginary life for yourself. Make sure you populate it with plenty of characters and cool things. Now you can use the name of your imaginary pet as a password, no one will guess it.

Want even more security? Create a secret codex, this is even cooler as it's a codex like Da Vinci's (surely the coolest techie ever?) (Da Vinci is a character from history popularised by Dan Brown). Create your codex by writing down all the letters you use then map them to a set of chars.

Wow cool, now you can browse safely as long as you do it well away from cliffs and objects with sharp edges.

Exactly what I've done

Many of my passwords are place-names from my imaginary world. I have a large and highly detailed map with literally hundreds of places identified on it, along with a load of rendered scenes depicting that world. I then just associate a website in my mind with a place in that world, and bam - unique easily-remembered impossible-to-guess passwords!

Re : Exactly what I've done

My password for The Register is quite weak

And is the same as for several other sites.

When trivial participation in a web site requires registering an account name and password... when there are dozens of these that you may use... when there isn't one universal sign-on service (which I think we expected would be evil, but now I've forgotten why)...

Maybe trivial sites that you also only use once in a while should ENCOURAGE you to use a pet's name or a birthday, or a pet's birthday, as your password with them. Someone will have to dig moderately deeply to steal it and it won't be much use to them. But then I suppose there would be immediately created an evil personal data search network that holds the birthday of every pet in the world, just to get past that password question more easily. In fact I think it has anyway...

Re: and also...

RE: "When you buy something online, we, er, sort of need to know where to send the goods you've ordered, and to be able to track your order if you contact us with questions"

But many shopping sites have the option to manage without this. Instead, for tracking, you can log onto the site with the order number and email address (unlikely for someone to guess), based on the order number having been emailed to you. In terms of storing a shipping address in an "account", obviously you can just store this in a database indexed by order ID. No need for accounts.

Sure, you probably only want this to give access to that single order, not all of your orders. And you may want to only allow tracking or questions, not cancellation. And also, people may be willing to sign up for an account for a few commonly used sites like Amazon, but not all sites.

Essentially, I'm arguing that for an obscure site you only go to once, the combination of (email,ordernumber) corresponds to a form of (username,password). At least assuming you don't have access to the user's email or have such a tiny number of orders that the order numbers are just 1-10.
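The account-less lookup argued for above, as an added example that is not code from the thread: the (email, order reference) pair acts as (username, password), so the reference is generated randomly rather than sequentially, the email is compared in constant time, and a successful lookup exposes only the tracking view of that one order. A sequential-reference store is included alongside it to show the caveat in the last paragraph: with order numbers 1 to 10 and a known email, enumeration is trivial. The store classes, order records and "bob@example.com" are constructed for illustration.

```python
# Added example: order lookup keyed on (email, unguessable order reference).
import hmac
import secrets


def new_order_ref():
    # 16 random bytes, URL-safe: ~128 bits, infeasible to guess even if the
    # attacker already knows a valid customer email address.
    return secrets.token_urlsafe(16)


def _norm(email):
    return email.strip().lower()


class OrderStore:
    def __init__(self):
        self._orders = {}   # order reference -> full record

    def _make_ref(self):
        return new_order_ref()

    def create(self, email, address, items):
        ref = self._make_ref()
        self._orders[ref] = {"email": _norm(email), "address": address,
                             "items": list(items), "status": "processing"}
        return ref          # sent to the customer by email

    def lookup(self, email, ref):
        """Tracking view of one order, or None. Never reveals which part failed."""
        record = self._orders.get(ref)
        if record is None:
            return None
        if not hmac.compare_digest(record["email"].encode(), _norm(email).encode()):
            return None
        # Scope what the credential unlocks: status and items only, no address,
        # no cancellation, no other orders for the same email.
        return {"items": record["items"], "status": record["status"]}


class SequentialOrderStore(OrderStore):
    """The weak variant: order numbers 1, 2, 3, ... are the only secret."""

    def __init__(self):
        super().__init__()
        self._next = 1

    def _make_ref(self):
        ref = str(self._next)
        self._next += 1
        return ref


def brute_force_sequential(store, email, max_id):
    """What an attacker with a known email can do against sequential refs."""
    return [str(i) for i in range(1, max_id + 1)
            if store.lookup(email, str(i)) is not None]


if __name__ == "__main__":
    good = OrderStore()
    ref = good.create("Bob@example.com", "1 High Street", ["milk", "mars bar"])
    print("random ref:", ref, "->", good.lookup("bob@example.com", ref))

    weak = SequentialOrderStore()
    weak.create("bob@example.com", "1 High Street", ["milk"])
    print("sequential refs found by guessing:", brute_force_sequential(weak, "bob@example.com", 10))
```

Rate-limit the lookup endpoint as well: a random reference defeats enumeration, but a stolen order confirmation email still hands over the credential, which is why the view it unlocks is kept narrow.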